Tor Browser 5.5.3 is released

by boklm | March 8, 2016

Tor Browser 5.5.3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release bumps the versions of several of our external components: Firefox to 38.7.0esr, OpenSSL to 1.0.1s, NoScript to 2.9.0.4 and HTTPS-Everywhere to 5.1.4.

Additionally, we fixed long-standing bugs in our Tor circuit display and window resizing code, and improved the usability of our font fingerprinting defense further.

The full changelog since 5.5.2 is:

Tor Browser 5.5.3 -- March 8 2016

  • All Platforms
    • Update Firefox to 38.7.0esr
    • Update OpenSSL to 1.0.1s
    • Update NoScript to 2.9.0.4
    • Update HTTPS Everywhere to 5.1.4
    • Update Torbutton to 1.9.4.4
      • Bug 16990: Don't mishandle multiline commands
      • Bug 18144: about:tor update arrow position is wrong
      • Bug 16725: Allow resizing with non-default homepage
      • Translation updates
    • Bug 18030: Isolate favicon requests on Page Info dialog
    • Bug 18297: Use separate Noto JP,KR,SC,TC fonts
    • Bug 18170: Make sure the homepage is shown after an update as well
  • Windows
    • Bug 18292: Disable staged updates on Windows

Comments

Please note that the comment area below has been archived.

one of the pedos had javascript activated. if you catch one greedy of them, you catch all them greedy.
stupid pedos.. they deserved it! i myself would install a backdoor into tor to catch all those childf****ng guys and bust them. But unlucky me is not member of tor creators :D

March 08, 2016

Permalink

The about:tbupdate tab loads every time when i start the browser since this update, how to switch this off?

March 08, 2016

Permalink

TAILS 2.2 is out, i haven't test it, yet.

Problem is i need editing the torcc file when booting from DVD. Bridges are no substitute!
Booting from USB is no substitute, too.
I Hope, Tails distributors have considered that,
torcc editing, hasn't seen in the docs.

The only bad alternative would be using old TAILS. Or mabe don't using Tor anymore.

March 08, 2016

Permalink

Time wrap on restart

[geshifilter-code]
Mar 09 06:30:13.000 [notice] New control connection opened from 127.0.0.1.
Mar 09 06:30:13.000 [notice] New control connection opened from 127.0.0.1.
Mar 09 06:31:36.000 [notice] Owning controller connection has closed -- exiting now.
Mar 09 06:31:36.000 [notice] Catching signal TERM, exiting cleanly.
Mar 09 04:31:39.553 [notice] Tor v0.2.7.6 (git-7a489a6389110120) running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0.1s and Zlib 1.2.3.3.
Mar 09 04:31:39.553 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
[/geshifilter-code
]

March 08, 2016

Permalink

Hello (torproject),
https://blog.torproject.org/blog/tails-22-out
has no Comment, support-feedback-visit the Support section is complicated, so i try it here:

In older TAILS versions -with Vidalia- i can edit the torcc file easy. Important.
I like Tails and i use it sometimes on DVD, no USB!(read the HackingTeam archive and you know why).
Very convenient -with VIDALIA !- and you see the complete relay list with country and the Fingerprint, nice for editing the torcc.

Bridges are NO substitute for the capability to editing the torcc -in Tails, too. With some exclamation points.

Onion Circuits -on tails.boum.org- looks rudimentarely, only )-: sorry, i like Tails.
Can i do this -editing torcc normal- in the new version of TAILS with"Onion Circuits"?
May with arm, with the persistence feature? Bad hacks like manually searching, editing torcc -really bad with DVD-booting and no complete relay list?
Can you answer?

Thanks for reading

March 09, 2016

In reply to by Anonymous (not verified)

Permalink

" Can i do this -editing torcc normal- in the new version of TAILS with"Onion Circuits"? "

torcc editor is gone? Would be bad, very bad. Hope this is only a rumour. Vidalia was well thought-out.

March 08, 2016

Permalink

Thank YOU for hard job !!!!! T H A N K S !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

March 08, 2016

Permalink

What's going on with entry relays? I had install fresh TBB for windows 50 times and every time entry relay was the same from France, Germany or Netherlands. Is it safe to use only 3 entry relays for all users of the Tor network?

Same here.....same thing, Germany, France and Netherlands exact same order, exact everything. no matter where i or how many times i refresh he exact same entry From Germany.

1st.) thank you guys so much for everything you do, your time, your work everything you do is awesome. 2.) same thing here, same exact entry, no matter where i go or what i do.

Limiting the entry relay to one protects from the eventuality of randomly selecting an entry relay and exit relay that are collaborating.

Imagine using Tor to browse the web and one time you are unlucky and pick and entry/exit pair operated by the same entity. By using a timing attack, that entity now knows with complete certainty your IP address and destination. All it takes is one time.

The odds of eventually choosing collaborating relays at both ends of the Tor circuit are surprisingly high when using a pool of entry relays. By using only one, as long as you weren't unlucky with that first choice, those odds are sharply reduced.

Since the single point of entry can be deduced by monitoring a user, wouldn't adding a relay to the chain be preferable?

March 08, 2016

Permalink

Can U guys do anything about saving passwords? I cant do that I have to write in same thing everytime

March 09, 2016

Permalink

hi boklm please give me a clear answer: is tor safe on http sites? or isp can track my traffic on target site ?

The problem is that it loads the page fresh from the server without using the credentials from the rendered page. So if I want to look at the source for a page in a site that requires a login, I'll get the source for the login page, or whatever. Why on earth doesn't the browser just use the source from it's own cache?

March 09, 2016

In reply to gk

Permalink

"I assume you don't have that problem in a normal Firefox browser?"
I have no idea. I use Chrome for my non-Tor browsing.

March 09, 2016

In reply to gk

Permalink

Now that I've read that ticket, it sure sounds like the same bug. Someone suggests using Firefox development tools to view the source. What's the quickest was to invoke that?

My experience with regular Firefox, not TBB, may help:
on the regular html page, select all (Ctrl+A), then context click view source.
The source apparently is as rendered not as received.
I discovered this while fiddling with rss news feeds, which render very differently than as received.

If that doesn't work for you, maybe there' a Firefox pref?

March 09, 2016

Permalink

do you intend to add something like 'Onion Circuits' to TBB?

i would like to know who i am connected to.
'Tor circuits for this site' shows just IP addresses i'm not able
to handle.

March 09, 2016

In reply to gk

Permalink

but vidalia shows me all circuits, destinations and NAMES of the
relays instead of IPs only. this is much better for those who want
to see what FF and Tor does.

Old versions of TBB has had the great tool Vidalia; canceled.
The only alternative was Tails.Have seen 'Onion Circuits' on the documents(homepage) and it's looking strong cut back. Vidalia has been unmaintained for years but unsecure enough to cancel it in Tails?
If 'Onion Circuits' has not the same practicality like Vidalia(goodlokin' relay list, editing tor behaviour, Message Log etc.),
Tails would be a Gadget only.........)-:. I hope it isn't so.

Yes, being unmaintained for years is a very valid reason to stop using it. Even if it was secure (very questionable,) it was a GUI control for tor and tor is still currently under active development.

There are alternatives that include at least some of the functionality (see https://www.atagar.com/arm/;) they do not, however, include the nice map display that was pretty but unnecessary. Most people used Vidalia for the map display. I did, with the exception of requesting new circuits, which is functionality best left to Tor Browser at this time (because it can do new circuits for individual sites in addition to all connections.

"There are alternatives ... (see https://www.atagar.com/arm/;)".

With Vidalia in Tails you had a smart, usefull, handy Tor GUI.
With Onion Circuits you have nearly nothing?
With Vidalia and arm you can close connections, you have a complete relay list, you can edit the torcc(some tor user like it to have normal Guard security......., the Tails developers obvious not?).

Without Vidalia and with Onion Circuits Tails is a -little bit- *WTF*. I'm speechless.
I like handy innovation but Onion Circuits is not. It is cripple(sic!) Tails. Sorry, i wannabe constructive.

+1 to adding the new "onion circuits" tool

I'm glad to hear the Tor Button circuit display bugs are fixed but I just got a "Secure connection failed" error (probably due to a bad exit) and Tor Button didn't show me the circuit that caused it. (It did show my new circuit after I selected "New Tor Circuit for this Site" and loaded the page, and so far it has shown circuits for every successful page load I've tried, but I want cicuit display for unsuccessful requests like SSL errors).

your IP based circuit information is crap.
i'm still using vidalia standalone especially to terminate suspicious
circuits like

EntryNode 1 - random relay - EntryNode 2 or
EntryNode 2 - random relay - EntryNode 1
(both among ExcludeExitNodes ... and StrictNodes 1)

OR

the 1st is busy and the 2nd EntryNode is building this:

EntryNode 2 - random relay - static Exit (=always the same ExitNode)

you call it feature - i don't want such circuits.

March 09, 2016

Permalink

cool

March 09, 2016

Permalink

Iam nearly new with TBB and have questions:

-Is it normal the 3 Guards are rotating, with every new TBB start i get
random 1 of 3 Entry Guards ?

-How can i set a fix/1 Entry Guard?
There is no entry in the manual for setting a fix Entry Guard?

I am a little bit confused.

March 09, 2016

Permalink

Security question

A company called Bluecoat, is offering "SSL Interception" tools and methods. Company-site: bluecoat.com .
Are encrypted connections on Tornetwork and especially on exit-nodes vulnerable for interception techniques offered by this and probably other companies?

Does, or can Torbrowser warn for this "ssl interception" or must a user always on every website do a manual ssl encryption to check the validity of the offered certificate in the browser-lock? Does anybody do that? All the time?
What are a good practices on this matter?
Or isn't it a matter at all, and why so?

Thank you in advance for hopefully answering my question.

"user always on every website do a manual ssl encryption to check the validity of the offered certificate in the browser-lock (icon)"
I may have this wrong, but AFAIK the browser checks the site certificate against certificates installed.
Certificate revocation check seems more on-the fly, but I don't know....

Excuse me for my crippled sentence
The sentence:
"Does, or can Torbrowser warn for this "ssl interception" or must a user always on every website do a manual ssl encryption to check the validity of the offered certificate in the browser-lock?
Had to be more like this:
Does, or can Torbrowser warn for this "ssl interception" or must a user always on every website do a manual ssl check by manually checking the validity of the offered certificate in the browser-lock? Therefore looking at "more information", "View certificate" and then find out if the certificate really is belonging to / assigned to the owners of the website you are visiting.

Now, the reason for this question is that people who are against Tor try to convince others that Tor is a unsafe technique because it is not protected to MitM interception even on encrypted connections.
The idea is that MitM attacks can take place on an exit node by using another certificate so the user actually sees a lock in the url bar but when manually checking could find (or not) out that this is not the right certificate but simply an intermediate certificate of the interceptor.

So, what I would know if it's is possible to intercept an encrypted connection on an exitnode and decrypt this (I hope not) while letting the user believe that it is using the original encrypted connection because it will see a lock in the url bar.

I see over and over again people saying that this kind of interception attack is possible and therefore that using Torbrowser over the Tornetwork is unsafe because one never could know (directly) if the information the Torbrowser user is sending over a fully encrypted connection is intercepted.
Although I got the impression that this is probably not possible, I would rather see a clear answer to that matter so that if people start using these kind of "Tor is not secure reasons" again we could refer to the answer on Torproject space.

I'm not familiar with this specific company, but the way these things generally work is that the proxy generates its own certificate for every site you attempt to visit. So unless you have the proxy's CA certificate installed in your browser you'll see a big scary error message.

If you (a Tor user) are behind such a proxy, you will probably find that you're unable to connect to the Tor network at all, except possibly via pluggable-transport bridges.

If an exit node is behind such a proxy, then anyone who uses that exit node (assuming they're using the Tor Browser) will see an error message when they try to visit an HTTPS site. If you find such an exit node you should report it so it can be blacklisted.

March 09, 2016

Permalink

Window maximizing was finally fixed! After months and months and months of ignoring a basic usability problem.

March 10, 2016

In reply to gk

Permalink

With broken I mean when I click maximize button window briefly maximizes, then immediately goes back to the size it was started with.

Never mind though. After I rearmed extensions.torbutton.maximize_warnings_remaining to 1 and dismissed warning about maximizing window, it seems to work fine again.

March 15, 2016

In reply to gk

Permalink

Sorry, but it seems like I had misinformed you. extensions.torbutton.maximize_warnings_remaining is unrelated. And it is about:tor start page, that is preventing maximization. Once closed maximizing window is working.

Interesting. So, could you give me some steps to reproduce? Ideally, starting from a clean 5.5.3 bundle? If that clean bundle does not exhibit the problems what modifications did you make?

I just checked that now. It looks like te window maximizes as any window maximizes. Isn't this a fingerprinting risk? Or does tbb send a fake window size that is a near size? or???

March 11, 2016

In reply to gk

Permalink

i have never seen any warning.
Maximizing is reflex action from regular browser use.
However, I use a "Fit To Width" bookmarklet on many websites.

Many months ago, TBB had horrible response when clicking maximize. TBB window would blow up to multiples of display size. Then trying any size adjustment would send TBB off-screen.
Now, when click maximize button, TBB responds as normal app responds (maximizes). I'm using Windows OS.

March 11, 2016

In reply to gk

Permalink

I read a few comments above about maximize warning pref.
Inexplicably to me, my pref was "user set" to
extensions.torbutton.maximize_warnings_remaining;-1
though I don't recall this pref and wouldn't have disabled the anti-fingerprinting feature.

I reset the pref then, while still in about:config, a local url, I clicked maximize. TBB obeyed, but showed a yellow warning bar. Clicking OK button caused the pref value to increment down from 3 to 2. Apparently I have dismissed the warning (after accidentally maximizing) 4 times (setting values to 2, 1, 0, then finally to -1)

My opinion:
Clicking "OK" should only dismiss the warning. Perhaps instead of eventually disabling the warning, the warning message should only hint at how to disable warnings by editing the pref.

------------------
For convenience of comment readers, this url will show the pref
about:config?filter=maximize

March 10, 2016

Permalink

hello,
i can not see bengali language in tor browser... can u pls tell me ,how can i fix it......it will be very help full for me....

thanks

March 10, 2016

Permalink

question:
in TBB-Linux/tails, you can copy URL, open new tab, click with mouse-middle-wheel in new tab and this URL is loading.

In TBB-MSWindows you do the same and URL is not loading. How configure to have same behaviour like TBB-Linux/tails?

March 10, 2016

Permalink

Youtube changed something on their website and now the videos wont play directly on TOR browser and I can't forward/rewind videos. Anyone else having this problem?

I am also experiencing this problem.

I also noticed on youtube no longer seeing the warning about "this website trying to extract HTML5 canvas image data" that I always used to see when temporarily allowing all on this page via noscript. I can see the forward/rewind/timeline if I turn it on via right click in image area, but it does not work correctly. i.e. I cannot click on controls for timeline so cannot get it to move timeline and timeline controls disappear when I hover over the controls for timeline etc.

For me on Windows, it will play the first 20 seconds or so with no visible controls. If I right-click during that time I have some basic controls. After the 20 seconds, the rest of the page loads (comments, thumbnails for other videos), but playback stops and is replaced by a static image. Not sure if this is due to a Youtube change (but seems likely) or a difference between TBB 5.5.2 and 5.5.3.

March 10, 2016

Permalink

TBB package should be smaller or the Tor network should be faster, or updated from Bittorrent network like Tails if it is possible...

March 11, 2016

Permalink

recently i switched from siphone3 to TOR ,since am new in here i got to see how good is TOR and i hope it would not get cut off a lot and stay on for long time ,,,,,,,,thanks

March 11, 2016

Permalink

HTTPS Everywhere?

Only sometimes i see HTTPS Everywhere infos in Tools(Menu Bar), on an HTTPS Everywhere database entry. Especially if i want to see
URL is in the database before i load site.
If i want see it reliable everytimes, i must set it in the Toolbar.
Is this a failure or normal?

Second question:

How can i see Tor log in Windows with TBB? With setting different info
levels(notice,warn,error).
In past you can use Tails for using Tor and have a APPROPRIATE
level of handling and info.
NOW with Tails you get TBB as a gadget? *W T F*

March 11, 2016

Permalink

On just one Windows 8.1 desktop computer, all attempts to update from 5.5.2 to 5.5.3 fail. On restart Tor always gives "Could not load XPCOM"

xpcom is Firefox. Maybe that exact message, "Could not load XPCOM" is in support.mozilla.org, or on mozillazine forum?

but also,
when i have any problem with firefox restart, I check task manager (start, run, taskmgr.exe). if firefox.exe is invisibly running, you'll see it in taskmgr list.
kill firefox in the list, then try starting TBB.

What do you mean with "previously"? Which version worked for you? Do you have a link to a screenshot showing your problem? Which operating system and which Tor Browser bundle are you using?

March 12, 2016

Permalink

Will the new version 5.5.3 sometimes still use three nodes within the same country? I feel this is unwise coding and use separate IP blocking software.

Keep up the good work.

March 13, 2016

Permalink

Can someone tell why it's not possible to download the Firefox Addons via a TBB on Windows OS?

When I go to https://addons.mozilla.org/en-US/firefox/
pick any Addon extension, right-click on the + Add to Firefox button, and select Save Link As... it fails, TBB downloads a 0 Byte empty file onto the hard drive.

March 14, 2016

In reply to gk

Permalink

To be more specific, if I Right-click the + Add to Firefox button in the upper part of any addons webpage, I get the following pop-up window message:
Download Error
The download cannot be saved because an unknown error occurred.
Please try again.

....but, if I scroll down to the bottom of the addons page and click/open up "Version Information" portion, TBB downloads the XPI file, but it is a 0 Byte file.

Further, if I Left-click on the upper button I get the:
The add-on could not be download because of a connection failure on addons.mozilla.org
but when clicking on the button lower down in the "Version Information" portion of the web page, it installs properly into the browser.

I found some further information on this web-site explaining:
https://hacks.mozilla.org/2016/02/implementing-content-security-policy/
The add-ons team recently completed work to enable Content Security Policy (CSP) on addons.mozilla.org (AMO). This article is intended to cover the basics of implementing CSP, as well as highlighting some of the issues that we ran into implementing CSP on AMO.

March 15, 2016

Permalink

Are there any issues with Tweetdeck? Tor users have been blocked for over a month. Twitter owns Tweetdeck.

March 19, 2016

In reply to gk

Permalink

When trying to log into Tweetdeck, we aren't able to. First it would just land back on the login page. Now it says there's a bad request.

Yes I've now tried "Restrict third party cookies" in the "Privacy & Security Settings" after seeing that link being tweeted by a Tweetdeck employee. Myself and others can now log in. We just have to be careful where else we go on Tor while third party cookies are enabled. After logging out of Tweetdeck, I block third party cookies in "Privacy & Security Settings".

Many on twitter had assumed tweetdeck was blocking Tor users which was odd considering twitter owns tweetdeck.

March 15, 2016

Permalink

hi,
can anyone tell what i need to do to load this site www.spadesplus.com using google account ... it keeps loading but never actually loads ... i tried allowing everything but it never loads ... why does this site never loads can anyone answer me? i can load other site with flash player but not this site.

March 17, 2016

Permalink

Ебать ,всё по Англйски...чё русских нету чтоли тут ?

Да есть конечно, просто не все понимают как коммент написать)))

March 17, 2016

Permalink

I'd like to know if this behavior of onion circuit / tor circuit / exit node is safe. I'm using tor-browser-linux64-5.5.3_en-US screenshots provided.

Is that a bug?
Is it targeting / hacking ?

http://s28.postimg.org/cx4fbtqwd/Screen_Shot_01_2016_03_17.png
http://s28.postimg.org/3t60bdpbh/Screen_Shot_02_2016_03_17.png
http://s28.postimg.org/eu15gehkd/Screen_Shot_03_2016_03_17.png
http://s28.postimg.org/93az2o9kd/Screen_Shot_04_2016_03_17.png

March 18, 2016

Permalink

Here's a question that I don't think has been asked before.

Ip-check.info displays a lot of information. At the right of the correctly detected ip, as confirmed by the green TOR onion as: "Tor circuit for this site", it offers a Traceroute.

If the ip-check.info site can only see the last (exit) node, how can it give, in one case, information on eleven hops up to that exit node?

March 18, 2016

Permalink

ok

March 18, 2016

Permalink

hello,
can u pls help me .. how can I read Bengali front in tor browser ?

it will b very helpful for me .

cloudflare captchas never work for me. i use google cache, though some web pages aren't in google cache.

here is example of google cache url
https://webcache.googleusercontent.com/search?q=cache:https%3A%2F%2Fblo…

you can create a keyword search bookmark
or
a search plugin at mycroft. http://mycroftproject.com/search-engines.html?name=google+cache
I would first try the search plugin by "anon".

text editors can easily edit search plugins.
on windows, the files are in \Browser\browser\searchplugins\

Same here, I use a search engines cache or proxy link if such exists, Cloudflare is an absolute PITA!
Also, when Google Captcha pops up as a Cloudflare gatekeeper is, I believe, they do some network analysis soft-hacking by measuring load and transient behaviour of the network and some other type of fingerprinitng stuff in order to estimate your location etc.
The scary part for us here in EU for instance, is all those CDN (Content Delivery Network) providers such as Akami which is an American company, but also Cloudflare and others. I read some years back, already then the CDN covered some 40% of all network bandwidth in Europe and probably much more these days, those CDN's are very scary things, X-Eyes, Echelon... :O